VPNs (Virtual Private Networks) create encrypted tunnels over untrusted networks like the internet. The CCNA 200-301 exam tests site-to-site VPN and remote access VPN concepts, IPsec fundamentals (AH vs ESP, IKE), and GRE tunneling. This guide covers the conceptual and practical differences between VPN types, what IPsec provides, and how these appear on the exam.
A site-to-site VPN connects two or more networks over the internet, creating a permanent tunnel between them. The VPN endpoints — routers or firewalls at each site — negotiate the VPN, encrypt traffic, and decrypt it on the other end. End devices at each site have no awareness that a VPN is in use; they communicate as if directly connected.
Site-to-site VPNs replace or supplement dedicated WAN links (MPLS, leased lines). A company with headquarters and a branch office uses a site-to-site VPN so branch employees can access HQ resources securely over internet connectivity — which is cheaper than a dedicated private WAN link.
Configuration requires matching parameters at both ends: the same encryption algorithm, hashing algorithm, authentication method, and Diffie-Hellman group. Mismatched parameters are the most common reason VPN tunnels don't establish.
A remote access VPN connects individual users to the corporate network from anywhere — home, hotel, coffee shop. The user runs a VPN client (Cisco AnyConnect, OpenVPN) that creates a tunnel to the VPN concentrator at the corporate edge.
Remote access VPNs use either IPsec or SSL/TLS. SSL VPNs (like Cisco AnyConnect with SSL mode) work over HTTPS (TCP 443), which is rarely blocked by firewalls. IPsec remote access VPNs use IKE (UDP 500) and ESP (IP protocol 50), which some firewalls block.
Split tunneling controls whether all traffic from the client goes through the VPN or only corporate-destined traffic. With split tunneling enabled, a remote user's internet traffic goes directly to the internet while only traffic destined for corporate subnets traverses the VPN. This reduces VPN gateway load but removes corporate security policy inspection for internet traffic.
IPsec is a framework of protocols for securing IP communications. The two core protocols: AH (Authentication Header, IP protocol 51) provides data integrity and authentication but no encryption. ESP (Encapsulating Security Payload, IP protocol 50) provides data integrity, authentication, AND encryption. In practice, ESP is almost always used because AH doesn't encrypt — AH by itself offers no confidentiality.
IKE (Internet Key Exchange) negotiates the parameters and keys used by AH/ESP. IKE operates in two phases: Phase 1 establishes a secure management channel (ISAKMP SA) used to protect Phase 2 negotiations. Phase 2 negotiates the actual IPsec tunnel parameters (IPsec SA). IKEv2 (the modern version) is more efficient, more secure, and supports MOBIKE for mobile clients.
Transport mode vs Tunnel mode: Transport mode encrypts only the payload (used between hosts, typically for host-to-host encryption). Tunnel mode encapsulates the entire original IP packet (header + payload) and adds a new outer IP header — this is what site-to-site VPNs use. The original packet is hidden inside the tunnel.
GRE (Generic Routing Encapsulation, IP protocol 47) is not a VPN protocol — it doesn't encrypt. GRE creates logical point-to-point tunnels that can carry any Layer 3 protocol (IPv4, IPv6, OSPF multicast) between two routers. GRE tunnels allow routing protocols to run over the internet between sites that are separated by NAT or different network types.
GRE is often combined with IPsec: GRE provides the tunnel that allows routing protocol packets (which IPsec alone cannot carry) to flow between sites, and IPsec provides encryption. GRE over IPsec is the combination — IPsec encrypts the GRE-encapsulated packets.
For CCNA, understand that GRE by itself provides no security but solves the multicast/routing protocol problem. IPsec by itself doesn't support multicast. GRE + IPsec provides both tunneling flexibility and encryption.
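As an added example (not from the original guide), the Python below constructs three packets carrying the same OSPF hello: over plain GRE, over GRE wrapped in ESP tunnel mode, and over GRE protected by AH only, then walks the headers outside-in the way an on-path observer would. The addresses, SPIs, ICV bytes and the XOR stand-in for ciphertext are constructed for illustration; nothing here is real encryption.

```python
import struct

GRE, ESP, AH, OSPF = 47, 50, 51, 89   # IP protocol numbers named in the guide

def ip4(src, dst, proto, payload):      # minimal 20-byte IPv4 header (checksum left at 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def gre(inner_ip):                      # base GRE header: flags/version 0, type 0x0800 = IPv4
    return struct.pack("!HH", 0, 0x0800) + inner_ip

def ah(next_proto, spi, seq, payload):  # AH: next hdr, len (32-bit words minus 2), rsv, SPI, seq, ICV
    icv = b"\x11" * 12                  # constructed stand-in for the HMAC ICV
    return struct.pack("!BBHII", next_proto, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv + payload

def esp(spi, seq, plaintext):           # ESP: SPI, seq, then ciphertext (trailer/ICV omitted here)
    fake_ct = bytes(b ^ 0x5A for b in plaintext)   # stand-in only, NOT encryption; real ESP uses AES
    return struct.pack("!II", spi, seq) + fake_ct

def parse_ip(buf):                      # -> (protocol, src, dst, bytes after the IPv4 header)
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], ".".join(map(str, buf[12:16])), ".".join(map(str, buf[16:20])), buf[ihl:]

def dissect(pkt):
    """Walk headers outside-in, as an on-path observer would, until nothing more is readable."""
    proto, src, dst, rest = parse_ip(pkt)
    layers = [f"IPv4 {src}->{dst} proto={proto}"]
    while True:
        if proto == GRE:                # no crypto: the next header is in the clear
            layers.append("GRE (encapsulation only)")
            proto, src, dst, rest = parse_ip(rest[4:])
            layers.append(f"IPv4 {src}->{dst} proto={proto}")
        elif proto == AH:               # integrity/authentication only: payload still readable
            nh, plen, _, spi, _seq = struct.unpack("!BBHII", rest[:12])
            layers.append(f"AH spi=0x{spi:x} (authenticated, readable)")
            proto, rest = nh, rest[(plen + 2) * 4:]
        elif proto == ESP:              # everything after SPI/seq is ciphertext to an observer
            spi, seq = struct.unpack("!II", rest[:8])
            layers.append(f"ESP spi=0x{spi:x} seq={seq}: {len(rest) - 8} bytes opaque")
            return layers
        else:                           # OSPF (89) or any other payload: bytes are readable
            layers.append(f"proto {proto}: {len(rest)} bytes readable")
            return layers

# Constructed samples: one OSPF hello (branch tunnel address -> AllSPFRouters 224.0.0.5) carried three ways
OSPF_HELLO = ip4("10.0.0.2", "224.0.0.5", OSPF, b"\x02\x01" + b"\x00" * 42)
GRE_ONLY = ip4("203.0.113.2", "203.0.113.1", GRE, gre(OSPF_HELLO))
GRE_OVER_ESP = ip4("203.0.113.2", "203.0.113.1", ESP, esp(0x1001, 7, GRE_ONLY))
AH_TRANSPORT = ip4("203.0.113.2", "203.0.113.1", AH, ah(GRE, 0x2002, 7, gre(OSPF_HELLO)))
```

dissect(GRE_ONLY) returns four layers ending in the readable OSPF hello, dissect(GRE_OVER_ESP) stops after the ESP header with the whole GRE packet opaque, and dissect(AH_TRANSPORT) returns five layers that are all readable despite being authenticated.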
| Aspect | Site-to-Site VPN | Remote Access VPN |
|---|---|---|
| Endpoints | Routers/firewalls at each site | VPN client on end-user device + VPN concentrator |
| Permanence | Always-on tunnel | On-demand (user initiates) |
| User awareness | Transparent to users | User installs and connects VPN client |
| Use case | Branch office to HQ | Remote workers, travelers |
| Protocols | IPsec (IKE + ESP) | IPsec or SSL/TLS (AnyConnect) |
| Split tunneling | Not typically applicable | Common option — only corporate traffic via VPN |
Misconception: GRE is a secure tunneling protocol.
Reality: GRE provides no encryption or authentication. It simply encapsulates packets in another IP packet. GRE must be combined with IPsec to provide security.
Misconception: AH is preferred over ESP because it provides both authentication and encryption.
Reality: AH provides authentication and integrity but NO encryption. ESP provides authentication, integrity, AND encryption. ESP is almost always preferred; AH alone is rarely used.
Misconception: Split tunneling makes a remote access VPN more secure.
Reality: Split tunneling is a performance optimization that reduces VPN gateway load, but it reduces security — internet traffic bypasses corporate security controls. Full tunneling sends all traffic through the VPN for inspection.
These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.
Which IPsec protocol provides both encryption and authentication for VPN traffic?
Explanation: ESP (Encapsulating Security Payload, IP protocol 50) provides both encryption (confidentiality) and authentication (integrity). AH provides only authentication, not encryption. GRE is not an IPsec protocol and provides no security. IKE negotiates keys but doesn't protect data traffic.
A company wants branch office employees to access HQ resources over the internet without any VPN client software. Which solution is appropriate?
Explanation: A site-to-site VPN between branch and HQ routers creates a permanent encrypted tunnel. Branch users connect normally without VPN client software — they're unaware of the VPN. The tunnel is terminated at the branch router, not on user devices.
Which protocol is used by IPsec to negotiate security parameters and exchange keys before establishing a VPN tunnel?
Explanation: IKE (Internet Key Exchange) negotiates IPsec parameters in two phases: Phase 1 establishes a secure management channel, and Phase 2 negotiates the actual IPsec SA (security association) for data tunnel parameters.
A GRE tunnel is configured between two routers to carry OSPF traffic. No additional configuration is added. Which statement is true?
Explanation: GRE provides encapsulation only — no encryption, no authentication. OSPF (and other routing protocols, including multicast) can run over GRE, but the traffic is unprotected. IPsec must be layered on top of GRE to provide encryption.
A remote user has split tunneling enabled on their VPN. Which traffic uses the VPN tunnel?
Explanation: With split tunneling enabled, only traffic destined for defined corporate subnets is sent through the VPN tunnel. All other traffic (internet browsing, streaming) goes directly to the internet, bypassing the VPN and reducing VPN gateway load.
Site-to-site VPN connects two networks (branch to HQ) using router/firewall endpoints — users don't install VPN clients and are unaware of the tunnel. Remote access VPN connects individual users from anywhere to the corporate network — each user runs a VPN client that creates a tunnel to the corporate VPN concentrator on demand.
AH (Authentication Header, IP 51) provides data integrity and authentication but no encryption — traffic is readable. ESP (Encapsulating Security Payload, IP 50) provides integrity, authentication, AND encryption. ESP is used in almost all VPN implementations because confidentiality requires encryption.
IPsec alone cannot carry multicast traffic or routing protocol hellos (OSPF, EIGRP use multicast). GRE creates a point-to-point tunnel that can carry any traffic including multicast. IPsec encrypts the GRE packets. The combination gives you routing protocol support (GRE) plus encryption (IPsec).
IKE Phase 1 establishes a secure, authenticated management channel (ISAKMP SA) using asymmetric encryption or pre-shared keys. Phase 2 uses this secure channel to negotiate the actual IPsec tunnel parameters (algorithms, keys for data encryption). Phase 2 is faster because Phase 1 already provided a secure channel.
They serve different needs. SSL VPN (like Cisco AnyConnect in SSL mode) uses HTTPS (TCP 443), which passes through almost any firewall — ideal for remote users on restrictive networks. IPsec VPN uses UDP 500 and IP protocol 50, which may be blocked. IPsec typically offers better performance. Most enterprises support both: IPsec for corporate devices, SSL for unmanaged devices.